Severity: Critical
Advisory ID: VMSA-2022-0033
CVSSv3 Range: 5.9-9.3
Issue Date: 2022-12-13
Updated On: 2022-12-13 (Initial Advisory)
CVE(s): CVE-2022-31705
VMware ESXi, Workstation, and Fusion updates address a heap out-of-bounds write vulnerability (CVE-2022-31705)
1. Impacted Products
- VMware ESXi
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro / Fusion (Fusion)
- VMware Cloud Foundation
2. Introduction
A heap out-of-bounds write vulnerability in VMware ESXi, Workstation, and Fusion was privately reported to VMware. Updates and workarounds are available to remediate this vulnerability in affected VMware products.
3. Heap out-of-bounds write vulnerability in EHCI controller (CVE-2022-31705)
Description
VMware ESXi, Workstation, and Fusion contain a heap out-of-bounds write vulnerability in the USB 2.0 controller (EHCI). VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.
Known Attack Vectors
A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.
Resolution
To remediate CVE-2022-31705, apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.
Workarounds
Workarounds for CVE-2022-31705 have been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.
Additional Documentation
None.
Acknowledgements
VMware would like to thank the organizers of GeekPwn 2022 and Yuhao Jiang for reporting this issue to us.
Notes
None.
Response Matrix:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
ESXi | 8.0 | Any | CVE-2022-31705 | | moderate | | | None |
ESXi | 7.0 | Any | CVE-2022-31705 | | moderate | | | None |
Fusion | 13.x | OS X | CVE-2022-31705 | N/A | N/A | Unaffected | N/A | N/A |
Fusion | 12.x | OS X | CVE-2022-31705 | | critical | 12.2.5 | | None |
Workstation | 17.x | Any | CVE-2022-31705 | N/A | N/A | Unaffected | N/A | N/A |
Workstation | 16.x | Any | CVE-2022-31705 | | critical | 16.2.5 | | None |
Impacted Product Suites that Deploy Response Matrix Components:
4. References
VMware ESXi 8.0 ESXi80a-20842819
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-esxi-80a-release-notes/index.html
VMware ESXi 7.0 ESXi70U3si-20841705
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3i-release-notes.html
VMware Workstation 16.2.5
https://customerconnect.vmware.com/en/downloads/info/slug/desktop_end_user_computing/vmware_workstation_pro/16_0
https://docs.vmware.com/en/VMware-Workstation-Pro/16.2.5/rn/vmware-workstation-1625-pro-release-notes/index.html
VMware Fusion 12.2.5
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/info/slug/desktop_end_user_computing/vmware_fusion/12_0
https://docs.vmware.com/en/VMware-Fusion/12.2.5/rn/vmware-fusion-1225release-notes/index.html
KBs:
https://kb.vmware.com/s/article/87617
https://kb.vmware.com/s/article/79712
https://kb.vmware.com/s/article/90336
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31705
FIRST CVSSv3 Calculator:
CVE-2022-31705
ESXi: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Workstation/Fusion: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
5. Change Log
2022-12-13 VMSA-2022-0033
Initial security advisory.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org
E-mail: security@vmware.com
PGP key at:
https://kb.vmware.com/kb/1055
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Twitter
https://twitter.com/VMwareSRC
Copyright 2022 VMware Inc. All rights reserved.